Phase-Remapping Attack in Practical Quantum Key Distribution Systems 
Quantum key distribution (QKD) can be used to generate secret keys between two distant parties. 
Even though QKD has been proven unconditionally secure against eavesdroppers with unlimited 
computation power, practical implementations of QKD may contain loopholes that may lead to 
the generated secret keys being compromised. In this paper, we propose a phase-remapping attack 
targeting two practical bidirectional QKD systems (the "plug & play" system and the Sagnac 
system). We showed that if the users of the systems are unaware of our attack, the final key shared 
between them can be compromised in some situations. Specifically, we showed that, in the case of 
the Bennett-Brassard 1984 (BB84) protocol with ideal single-photon sources, when the quantum bit 
error rate (QBER) is between 14.6% and 20%, our attack renders the final key insecure, whereas 
the same range of QBER values has been proved secure if the two users are unaware of our attack; 
also, we demonstrated three situations with realistic devices where positive key rates are obtained 
without the consideration of Trojan horse attacks but in fact no key can be distilled. We remark 
that our attack is feasible with only current technology. Therefore, it is very important to be aware 
of our attack in order to ensure absolute security. In finding our attack, we minimize the QBER 
over individual measurements described by a general POVM, which has some similarity with the 
standard quantum state discrimination problem. 

PACS numbers: 03.67.Dd 






I. INTRODUCTION 



One important practical application of quantum information is quantum key distribution (QKD)
[1, 2], which generates secret keys between two distant parties, commonly known as Alice and
Bob. The advantage of QKD is that it has been proven unconditionally secure even when an
eavesdropper, Eve, has unlimited computation power allowed by the law of quantum mechanics
[3, 4, 5, 6, 7, 8, 9]. On the other hand, security proofs are only as good as their
assumptions, which real-life QKD systems may fail to meet because of imperfections. This may
open up new attacks for Eve. Moreover, given a combination of imperfections, Eve may try to
mix and pick the best (perhaps a combined) eavesdropping strategy to maximize her chance of
breaking a QKD system. It is thus important to construct a catalog of known attacks against
practical QKD systems. Moreover, it is imperative to study specific defenses against proposed
attacks. Notice that implementations of defenses may open up new security loopholes. It is not
enough to say that defense strategies exist in principle. One must also battle-test them
thoroughly in experiments to see whether they are any good in practice. We remark that the
construction of a generally agreed theory of eavesdropping attacks and defenses in realistic
"plug-and-play" systems is, in fact, a five-year goal in the US funding agency ARDA's quantum
cryptography roadmap [10].

Practical difficulties associated with phase and polarization instabilities over long-distance
fiber have led to the development of two bidirectional QKD structures: the "plug & play"
auto-compensating QKD structure [11] and the Sagnac QKD structure [12, 13]. In both cases, one
of the legitimate users, Bob, sends strong laser pulses to the other user, Alice. Alice encodes
her information on the phase of the strong pulse, attenuates it to single photon level, and
then sends it back to Bob. Because Alice allows signals to go in and go out of her device, this
opens a potential backdoor for Eve to launch various Trojan horse attacks, which are any
attacks that involve more than just passive attacks. Trojan horse attacks performed by sending
probe signals into Alice's and Bob's equipment have been analyzed in [14]; Trojan horse attacks
exploiting the detector efficiency mismatch have been analyzed in [15] and also by us [16]. In
this paper, we propose a specific type of Trojan horse attack, which we call the
phase-remapping attack, aimed at bidirectional QKD systems using phase coding. We show that,
when Alice and Bob are unaware of our attack, the final key shared between them can be
compromised in some situations. Also, our attack is feasible with only current technology.
Therefore, it is very important for Alice and Bob to be aware of our attack when using the
"plug & play" QKD systems or the Sagnac QKD systems and to correctly identify which situations
are secure and which are not.

FIG. 1: Schematic diagram of the Sagnac QKD system employing AOM-based phase modulator: LD -
pulsed laser diode; Cir - circulator; C - 2x2 coupler; SPD1, SPD2 - single photon detector

In the following, we first describe in Sec. II and Sec. III how phase remapping is performed in
the two QKD systems implementing the Bennett-Brassard 1984 (BB84) protocol [1], and then we
illustrate situations in which the final keys can be compromised, both in the
perfect-single-photon-source case and in the weak-coherent-state-source case. For the
perfect-single-photon-source case (Sec. IV), we aim to find the smallest quantum bit error rate
(QBER) under the phase-remapping attack and show that it is lower than the known QBER threshold
under which secret keys can be distilled when Trojan horse attacks are not taken into account.
We formulate our problem as minimizing the QBER over an individual measurement described by a
general POVM. For the weak-coherent-state-source case (Sec. V), we demonstrate three specific
eavesdropping strategies with the phase-remapping attack (two of them are also combined with
the fake signals attack [15], which exploits detection efficiency mismatch between two
detectors) that lead Alice and Bob to wrongly believe that they can distill secret keys at
positive rates but in fact no secret key can be generated. We finally conclude in Sec. VI.



II. PHASE-REMAPPING ATTACK IN SAGNAC 
QKD SYSTEMS 



The basic structure of the Sagnac QKD system [13] is shown in Fig. 1. Here, to simplify our
discussion, we neglect Bob's phase modulator. Note that we use an acousto-optic modulator (AOM)
as a phase modulator on Alice's side. The input laser pulse is split by the fiber coupler into
$S_1$ and $S_2$, which go through the fiber loop clockwise and counterclockwise, respectively.
Note that the AOM is placed in the fiber loop asymmetrically, with fiber lengths $L_1$ and
$L_2$ on the two sides. For the first-order diffracted light, the AOM introduces a frequency
shift equal to its driving frequency (due to the Doppler effect). The phase of the diffracted
light is also shifted by an amount which is equal to the phase of the acoustic wave at the time
of diffraction [17]. $S_2$ and $S_1$ arrive at the AOM at different times with the time
difference $t_2 - t_1 = n(L_2 - L_1)/C = n\Delta L/C$. Here, $n$ is the refractive index of the
optical fiber and $C$ is the speed of light in vacuum. The phase difference between $S_1$ and
$S_2$ after they go through the fiber loop is

$$\Delta\phi = \phi(t_2) - \phi(t_1) = 2\pi f (t_2 - t_1) = 2\pi n \Delta L f / C. \tag{1}$$

By modulating the AOM's driving frequency $f$, the relative phase between $S_1$ and $S_2$ can
be modulated. This is the basic mechanism of our AOM-based phase modulator.

In standard BB84, Alice can encode phase information $\{0, \pi/2, \pi, 3\pi/2\}$ by modulating
the AOM with frequency $\{f_0, f_0 + \Delta f, f_0 + 2\Delta f, f_0 + 3\Delta f\}$. From
Eq. (1), the phase difference depends on both the AOM frequency $f$ and the fiber length
difference $\Delta L$. So, in principle, Eve can build a device similar to Bob's one except
with different fiber length and launch an "intercept-and-resend" attack.

Suppose Eve uses her device to send laser pulses to Alice. Unaware that the pulses come from
Eve, Alice shifts the light frequency by one of the values
$\{f_0, f_0 + \Delta f, f_0 + 2\Delta f, f_0 + 3\Delta f\}$. By choosing a suitable fiber
length difference $L_2 - L_1$, Eve can re-map the encoded phase information from
$\{0, \pi/2, \pi, 3\pi/2\}$ to $\{0, \delta, 2\delta, 3\delta\}$, where $\delta$ is under Eve's
control. This is illustrated in Fig. 2.

FIG. 2: The phase difference between the four states sent by Alice is changed by Eve to
$\delta$. In standard BB84, $\delta = \pi/2$. (Note that the states are drawn so that
orthogonal states are $\pi/2$ apart in the diagram but are $\pi$ apart in the actual phases.)



III. PHASE-REMAPPING ATTACK IN "PLUG 
& PLAY" SYSTEMS 

In a "plug & play" QKD system [11], the information is encoded on the relative phase between a
signal pulse and a reference pulse. The phase modulator inside Alice is supposed to be
activated in such a way that only the signal pulse is modulated while the reference pulse is
not. Unfortunately, in current QKD systems, Alice does not monitor the arrival times of the two
pulses. Instead, she just uses one of them as the trigger signal to determine when she should
activate her phase modulator. In this case, Eve can time-shift the signal pulse so that it will
arrive at the phase modulator on its rising or falling edge and thus will be partially
modulated (see Fig. 3). (The LiNbO$_3$ waveguide-based phase modulators used in current QKD
systems have rise times ranging from 100 ps to 1 ns.) Therefore, the relative phase between the
signal pulse and reference pulse will be smaller than what it is supposed to be. In principle,
by carefully controlling the amount of time shift, Eve can re-map the encoded phase information
from $\{0, \pi/2, \pi, 3\pi/2\}$ to $\{0, \delta, 2\delta, 3\delta\}$, where
$\delta \in [0, \pi/2]$.

FIG. 3: The dashed line is the original signal pulse intended to be modulated at the middle of
the phase modulator's response to have a phase of $\pi/2$. Eve time shifts the pulse to the one
in solid line. This pulse now arrives at the middle of the rising edge and acquires a phase of
$\pi/4$ instead.



IV. UPPER BOUND ON QBER OF 
PHASE-REMAPPING ATTACK WITH A 
PERFECT SINGLE-PHOTON SOURCE 

We have described the possibility of Eve changing the phase difference $\delta$ between the
states sent by Alice in two practical QKD systems. The important question is: is this ability
of Eve harmful to Alice and Bob in any way? As we show in this section, Eve can use this
ability to compromise the final key shared between Alice and Bob under some situations in the
perfect-single-photon-source case. We show this by considering Eve launching a specific
intercept-and-resend attack that is optimized for the phase difference $\delta$ that she has
chosen for Alice's states. Note that any intercept-and-resend attack completely breaks the
security of any QKD protocol, meaning that Alice and Bob cannot establish a secret key of any
length [18]. Thus, we want to show that our intercept-and-resend attack leads to situations in
which Alice and Bob (wrongly) believe that they can generate a secret key. The quantum bit
error rate (QBER) is often used as a measure to judge whether a secret key can be generated in
a QKD experiment. The QBER can be obtained by Alice and Bob in a QKD experiment by publicly
testing the error rates in a random subset of the transmitted bits. They use the QBER to
determine the amount of eavesdropping on the channel and whether to proceed with the key
generation process. Therefore, we want to show that our intercept-and-resend attack causes a
QBER that is lower than what is tolerable without any Trojan horse attacks. In this case, there
is a range of QBER's that is secure without any Trojan horse attacks but is now insecure with
our Trojan horse attack. If Alice and Bob are unaware of our Trojan horse attack and treat
these situations as secure, then their final secret key is compromised and Eve has some
information on it. In the following, we first consider an intercept-and-resend attack preceded
by the phase-remapping operation. In this attack, Eve's measurement is optimized and the resent
states are the BB84 states. We then consider three extensions to the attack strategy by
optimizing over the resent states and/or combining the phase-remapping attack with the fake
signals attack [15]. In all cases, we show that the final key can be compromised if no Trojan
horse attack is considered.



A. A simple intercept-and-resend attack with 
phase remapping 

We consider the BB84 protocol with a perfect single-photon source and detectors. Note that any
QBER lower than 20% is tolerable in BB84 without any Trojan horse attacks [19, 20, 21], meaning
that a secret key can be distilled. Thus, we aim to construct an intercept-and-resend attack
that produces a QBER lower than this. The intercept-and-resend attack we consider here is
similar to the one considered earlier by us [22]. Here, we optimize the attack to the phase
difference between Alice's states, $\delta$, which is set by Eve.

The four states sent by Alice have phases $0$, $\delta$, $2\delta$, and $3\delta$, where the
phase offset is set to be zero for simplicity and without loss of generality. We assume that
Eve uses the same detection scheme as Bob does. Thus, for a state with phase $\theta$, Eve
detects the bit values "0" and "1" with probabilities $\cos^2(\theta/2)$ and
$\sin^2(\theta/2)$, respectively. To facilitate the analysis, we denote Alice's four states as

$$|\varphi_k\rangle = \cos\frac{k\delta}{2}\,|0_z\rangle + \sin\frac{k\delta}{2}\,|1_z\rangle \tag{2}$$

where $k = 0, \ldots, 3$ are the indices for the four states, and $|j_z\rangle$, $j = 0, 1$,
are the eigenstates of the Z component of the Pauli matrix representing the bit values "j".
Similarly, $|j_x\rangle = (|0_z\rangle + (-1)^j |1_z\rangle)/\sqrt{2}$, $j = 0, 1$, are the
eigenstates of the X component of the Pauli matrix. Here, $|\varphi_0\rangle$ and
$|\varphi_2\rangle$ are "0" and "1" in one basis, whereas $|\varphi_1\rangle$ and
$|\varphi_3\rangle$ are "0" and "1" in the other basis. Note that the normal BB84 states have
the phase difference $\delta = \pi/2$; we denote the BB84 states as $|\tilde{\varphi}_k\rangle$.

We consider the following intercept-and-resend attack by Eve: Eve captures the state sent by
Alice, $|\varphi_k\rangle$, and performs a POVM measurement on it. The POVM consists of five
elements, $\{M_{\mathrm{vac}}, M_i : i = 0, \ldots, 3\}$, with
$M_{\mathrm{vac}} + \sum_{i=0}^{3} M_i = I$. For the outcome corresponding to
$M_{\mathrm{vac}}$, Eve sends a vacuum state to Bob, whereas, for outcome $i$, she sends the
BB84 state $|\tilde{\varphi}_i\rangle$ to Bob.

FIG. 4: QBER upper bound of Trojan horse attacks for BB84. The top two curves correspond to the
phase-remapping attack only whereas the bottom two curves correspond to the combination of the
phase-remapping attack and the fake signals attack of Ref. [15] (with efficiency mismatch of
0.08). The QBER values of the two solid curves are obtained by minimizing over the POVM
measurement by Eve for each phase difference $\delta$ and assuming a fixed state sent to Bob.
The QBER values of the two dashed curves are obtained by minimizing over the POVM measurement
by Eve and the state sent to Bob for each phase difference $\delta$. Note that the QBER values
approach some minimum values (15.5%, 14.6%, 10.1%, and 5.79%) as the phase difference between
the states approaches zero.



For a fixed phase difference $\delta$, we want to favor Eve by minimizing the QBER caused by
this attack over the POVM elements. This QBER minimization problem is similar to the quantum
state discrimination problem [23], where a given state is to be identified among a set of known
states. In our case, since the four states are not linearly independent, unambiguous
discrimination (meaning error free) is not possible [24]. In the standard ambiguous state
discrimination problem, the total probability of incorrectly identifying the state
$\sum_{i \neq j} \mathrm{Tr}(M_i |\varphi_j\rangle\langle\varphi_j|)/4$ is minimized subject to
$\sum_{i=0}^{3} M_i = I$, where the division by four is due to Alice sending one of the four
states with equal probabilities. On the other hand, in our problem, the quantity to minimize is
the QBER, which is the error rate on Bob's measured signals, not Eve's error probability. We
find the QBER as follows. Consider $M_0$ first. When $M_0$ occurs, Eve sends
$|\tilde{\varphi}_0\rangle$ to Bob. If Alice actually sent $|\varphi_0\rangle$, then there is
no error. However, if Alice actually sent $|\varphi_2\rangle$ and Bob uses the measurement
basis $\{|\tilde{\varphi}_0\rangle, |\tilde{\varphi}_2\rangle\}$ (only the cases that Alice and
Bob use the same basis are considered), then Bob always gets an error and thus the QBER is 1;
on the other hand, if Alice actually sent $|\varphi_1\rangle$ or $|\varphi_3\rangle$ and Bob
uses the measurement basis $\{|\tilde{\varphi}_1\rangle, |\tilde{\varphi}_3\rangle\}$, then the
QBER is only 1/2. Therefore, the (unnormalized) QBER for the $M_0$ case is
$[\frac{1}{2}\mathrm{Tr}(M_0 |\varphi_1\rangle\langle\varphi_1|) + \mathrm{Tr}(M_0 |\varphi_2\rangle\langle\varphi_2|) + \frac{1}{2}\mathrm{Tr}(M_0 |\varphi_3\rangle\langle\varphi_3|)]/4$.
Comparing this with the total error probability of the state discrimination problem, we see
that here different penalties are incurred for different incorrectly identified states. To form
the final QBER, we need to add the (unnormalized) QBER for the other $M_i$'s and normalize the
sum with the probability of Eve causing clicks on Bob's detectors, giving us

$$\mathrm{QBER} = \frac{\sum_{i=0}^{3} \mathrm{Tr}(M_i L_i)}{\sum_{i=0}^{3} \mathrm{Tr}(M_i B_i)} \tag{3}$$

where

$$L_i = \frac{1}{2}|\varphi_{1+i}\rangle\langle\varphi_{1+i}| + |\varphi_{2+i}\rangle\langle\varphi_{2+i}| + \frac{1}{2}|\varphi_{3+i}\rangle\langle\varphi_{3+i}|, \tag{4}$$

$$B_i = \sum_{k=0}^{3} |\varphi_k\rangle\langle\varphi_k|. \tag{5}$$



We minimize the QBER over positive $M_i$'s (see Appendix for detail). Note that it is not
necessary to impose the constraint $\sum_{i=0}^{3} M_i \le I$, since any solution to this
unconstrained problem can always be scaled down sufficiently to satisfy this constraint. Also
note that normalization of the QBER is necessary since we allow Eve to get an inconclusive
result and send a vacuum state to Bob (i.e., we allow $M_{\mathrm{vac}}$ to be non-zero). This
is in contrast to the standard ambiguous state discrimination problem where all results have to
be conclusive.

In general, Eve's action is a solution to some optimiza- 
tion problem, minimizing some general penalty function. 
The QBER and the total error probability in the stan- 
dard state discrimination problem are two special cases 
of such general penalty functions. In our Trojan horse 
attack problem, we use the QBER as the objective func- 
tion since Alice and Bob can determine this value exper- 
imentally and use this value to estimate the amount of 
eavesdropping on the quantum channel. 

Figure 4 plots the smallest QBER induced by this attack against the phase difference $\delta$
(top curve). This curve is achieved by Eve resending only the states $|0_z\rangle$ and/or
$|1_x\rangle$ to Bob. Due to the symmetry in their phase-remapped states $|\varphi_0\rangle$
and $|\varphi_3\rangle$, the resultant QBER's are equal (see Fig. 5). Also, it turns out that
the QBER caused by resending the states $|1_z\rangle$ or $|0_x\rangle$ is higher than this
curve in the range of $\delta$ shown in the figure. We observe that this QBER curve approaches
15.5% as the phase difference $\delta$ approaches zero. Note that there is a discontinuity at
$\delta = 0$. When the phase difference is exactly zero, all four states sent by Alice are
exactly the same. Thus, Eve cannot learn anything about Alice's bits. In this case, Eve can
either send random states to Bob (in which case the QBER is $\frac{1}{2}$) or send only vacuum
states to Bob (in which case the QBER is undefined since Bob did not have any click). The
source of this discontinuity is that we allow Eve to get an inconclusive result and send a
vacuum state to Bob (i.e., $M_{\mathrm{vac}} \neq 0$). Note that in practice, one may restrict
Eve's strategies by requiring a certain minimum detection probability at Bob's side, meaning
that Eve has to resend some states to Bob with a minimum probability. As a consequence, Eve may
launch our attack only at phase differences $\delta$ larger than some small finite value, in
which case, the discontinuity at $\delta = 0$ is irrelevant. In the standard state
discrimination problem, no inconclusive result is allowed and thus the error probability
approaches 1/2 as $\delta$ approaches zero with no discontinuity.

FIG. 5: A suboptimal strategy for Eve. She chooses
$M_0 = |\varphi_2^{\perp}\rangle\langle\varphi_2^{\perp}|$ where $|\varphi_2^{\perp}\rangle$ is
a state orthogonal to $|\varphi_2\rangle$. This strategy causes a QBER of 16.7%.

We can understand the behaviour of the top curve in Fig. 4 at small $\delta$ by considering a
suboptimal intercept-and-resend strategy for Eve. Let's consider that Eve is only interested in
finding a good $M_0$ and assigns $M_1 = M_2 = M_3 = 0$. Since $|\varphi_2\rangle$ causes the
largest QBER of 1 (whereas $|\varphi_1\rangle$ and $|\varphi_3\rangle$ cause only 1/2), Eve
chooses $M_0$ to be a projection onto a state orthogonal to $|\varphi_2\rangle$ (see Fig. 5).
Thus, the probabilities of $M_0$ occurring when Alice sent $|\varphi_0\rangle$,
$|\varphi_1\rangle$, $|\varphi_2\rangle$, and $|\varphi_3\rangle$ are $\sin^2(2\delta')$,
$\sin^2(\delta')$, $0$, and $\sin^2(\delta')$, respectively. Here, we denote
$\delta' = \delta/2$. Using $\sin(x) \approx x$ for small $x$ and Eq. (3), the QBER is
$(\frac{1}{2}\delta'^2 + \frac{1}{2}\delta'^2)/(6\delta'^2) = \frac{1}{6} = 16.7\%$. Note that
this value is just a little bit greater than the QBER of 15.5% of our optimal attack strategy
plotted in Fig. 4. Also note that $M_{\mathrm{vac}}$ is equal to
$|\varphi_2\rangle\langle\varphi_2|$ with a probability of occurrence of $1 - 3\delta'^2/2$ (it
is $3\delta'^2/2$ for $M_0$), thereby introducing a discontinuity in QBER at $\delta = 0$.

The significance of Fig. 4 is that there is a range of phase differences $\delta$ that causes
the QBER to go below 20%, which is shown in Ref. [20, 21] to be a tolerable QBER in BB84 when
Eve does not have the ability to change $\delta$. This proves that Eve's ability to change the
phase difference between Alice's states is helpful to Eve in breaking the security of BB84.
Specifically, when Alice and Bob are unaware of our Trojan horse attack, Eve can learn some
information on the final key shared by Alice and Bob. This can be seen as follows: Suppose Eve
launches this attack and induces a QBER of, say, 15.6%. Since this is lower than 20%, below
which the key distillation technique in Ref. [19] is applicable, Alice and Bob decide to apply
this technique to distill a final key. On the other hand, the result of Ref. [18] says that no
secret key can be established between Alice and Bob when Eve launches an intercept-and-resend
attack. Thus, the final key shared by Alice and Bob is not completely secret and Eve has some
information on it.

It is important that the transmittance (which is the fraction of Alice's signals received by
Bob) in the case of Eve launching this attack is similar to that when Eve is not present and
the system is in normal operation, since, otherwise, Bob may be able to notice Eve's
intervention by observing the unusually low transmittance. Obviously, the quantum channel loss
directly affects the transmittance. In our intercept-and-resend attack, Eve can avoid her
signals experiencing the quantum channel loss. Specifically, she can perform her measurement at
the output port of Alice, and send her measurement result classically to her ally located at
Bob's side. Her ally then resends a signal, based on the measurement result, to Bob. In this
way, no channel loss is experienced by Eve (assuming that the classical channel is perfect).
However, this does not mean that the transmittance in our attack is one. This is because, based
on Eve's measurement result, she occasionally sends a vacuum state to Bob, thus reducing the
transmittance. In a typical experimental setup [25], the loss in the fiber is about 0.2 dB/km.
Thus, with a 100 km-long fiber, the transmittance is about $10^{-0.2 \times 100/10} = 0.01$.
In our intercept-and-resend attack that minimizes the QBER, it can be shown that for
$\delta > \pi/20$, transmittance greater than 0.01 can be achieved. From Fig. 4, when
$\delta = \pi/20$, the QBER is about 15.6%. This means that Eve can induce the same
transmittance as in the normal operation of the system and still she can learn some information
about the final key shared by Alice and Bob.

We remark that the POVM $\{M_{\mathrm{vac}}, M_i : i = 0, \ldots, 3\}$ of our
intercept-and-resend attack is feasible with current technology since each POVM element $M_i$
is a projection onto some state and can be implemented as one direction of an orthogonal
projection. Thus, multiple orthogonal projections can be arranged to realize the projections of
the POVM element $M_i$.
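The QBER bookkeeping of Eqs. (2)-(5) can be checked numerically. The Python below is an added example, not code from the paper: it reproduces the 16.7% of the suboptimal strategy, the roughly 15.5% small-phase-difference limit, and the 25% of an unmodified intercept-and-resend attack at a phase difference of pi/2, which is the value a 20% abort threshold implicitly relies on. It assumes that the indices in Eq. (4) wrap modulo 4, and it uses the fact that the minimum of Eq. (3) over positive operators is reached by a single rank-one element, so it equals the smallest root of det(L_i - x B) = 0 taken over i; all function names are illustrative.

```python
import math

ZERO = (0.0, 0.0, 0.0)  # symmetric 2x2 matrices are stored as (m00, m01, m11)


def state(k, delta):
    """Alice's k-th phase-remapped state from Eq. (2), as a real 2-vector."""
    half = k * delta / 2.0
    return (math.cos(half), math.sin(half))


def projector(v):
    """|v><v| for a real 2-vector v."""
    return (v[0] * v[0], v[0] * v[1], v[1] * v[1])


def weighted_sum(terms):
    """Sum of weight * matrix over (weight, matrix) pairs."""
    return tuple(sum(w * m[j] for w, m in terms) for j in range(3))


def trace_product(a, b):
    """Tr(AB) for two symmetric 2x2 matrices."""
    return a[0] * b[0] + 2.0 * a[1] * b[1] + a[2] * b[2]


def penalty_operators(delta):
    """Return ([L_0..L_3], B) of Eqs. (4), (5); indices wrap modulo 4 (assumption)."""
    p = [projector(state(k, delta)) for k in range(4)]
    b = weighted_sum([(1.0, pk) for pk in p])
    ls = [weighted_sum([(0.5, p[(1 + i) % 4]), (1.0, p[(2 + i) % 4]),
                        (0.5, p[(3 + i) % 4])]) for i in range(4)]
    return ls, b


def qber(povm, delta):
    """Eq. (3) for conclusive elements M_0..M_3; M_vac is whatever remains."""
    ls, b = penalty_operators(delta)
    clicks = sum(trace_product(m, b) for m in povm)
    if clicks <= 0.0:
        raise ValueError("Bob never clicks, so the QBER is undefined")
    return sum(trace_product(m, l) for m, l in zip(povm, ls)) / clicks


def suboptimal_povm(delta):
    """M_0 projects onto the state orthogonal to state 2; M_1 = M_2 = M_3 = 0."""
    c, s = state(2, delta)
    return [projector((-s, c)), ZERO, ZERO, ZERO]


def min_qber(delta):
    """Smallest QBER of Eq. (3) when BB84 states are resent, for delta > 0."""
    if delta <= 0.0:
        raise ValueError("all four states coincide at delta = 0; see qber()")
    ls, b = penalty_operators(delta)
    det_b = b[0] * b[2] - b[1] ** 2
    best = 1.0
    for l in ls:
        # det(L - xB) = det_b * x^2 - mixed * x + det_l; take the smaller root.
        mixed = l[0] * b[2] + l[2] * b[0] - 2.0 * l[1] * b[1]
        det_l = l[0] * l[2] - l[1] ** 2
        disc = max(mixed * mixed - 4.0 * det_b * det_l, 0.0)
        best = min(best, (mixed - math.sqrt(disc)) / (2.0 * det_b))
    return best


if __name__ == "__main__":
    threshold = 0.20  # tolerable QBER quoted in the text when remapping is ignored
    for label, delta in [("pi/2", math.pi / 2), ("pi/4", math.pi / 4),
                         ("pi/20", math.pi / 20), ("0.01", 0.01)]:
        q = min_qber(delta)
        flag = "below" if q < threshold else "above"
        print(f"delta={label:>5}: min QBER={q:.4f} ({flag} 20%), "
              f"suboptimal={qber(suboptimal_povm(delta), delta):.4f}")
```

At a phase difference of exactly zero, `qber` returns 1/2 for any element that clicks at all, which is the discontinuity discussed above.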



B. Attack extensions 

We may further improve our attack by allowing Eve to send arbitrary states to Bob with
arbitrary number of POVM elements. Note that changing the states sent to Bob only affects the
penalty values in the QBER (i.e., the three coefficients appearing before the three states in
Eq. (4) are affected). By using a similar analysis as in Ref. [22], we obtain a QBER of 14.6%
in this case, about 1% lower than the case of Eve sending BB84 states to Bob. The QBER upper
bound with this improvement is shown in Fig. 4 as the second curve from the top.

We may combine our phase-remapping attack with another Trojan horse attack proposed in
Ref. [15], a fake signals attack, to obtain even further improvement on the QBER upper bound.
In the fake signals attack, Eve takes advantage of the detector efficiency mismatch by time
shifting the signals entering Bob's detector package. Essentially, by time shifting the
arriving signal from the normal arrival time, the efficiency of the detector for detecting "0"
becomes different from the efficiency of the detector for detecting "1" (see Fig. 6). Eve may
make use of this difference in the efficiencies to her advantage. Ref. [15] proposed a specific
intercept-and-resend attack with a fixed measurement (the normal BB84 measurement in the X and
Z bases) and fixed resent states (the normal BB84 states but with the time shifted) and showed
that it is possible to compromise the QKD system if Alice and Bob are unaware of this attack.
Here, we combine our phase-remapping attack with the fake signals attack. Specifically, Eve
performs phase remapping of Alice's states (which is also achieved by time shifting), measures
Alice's output signals, and resends to Bob some signals having the arrival time shifted from
the normal arrival time. We may proceed to compute the QBER upper bound by minimizing the QBER
over arbitrary POVM measurements but with the same resent states as those proposed in Ref. [15]
(e.g., when Eve detects the state $|\varphi_0\rangle$, she resends the $|-\rangle$ state time
shifted to a location where the detector for bit "0" has a higher efficiency). The QBER is the
same as Eq. (3) but with different $L_i$ and $B_i$ for this attack. For example, those
corresponding to sending the $|-\rangle$ state are

$$L_0 = \frac{1}{2}\eta_1(t_0)\,|\varphi_0\rangle\langle\varphi_0| + \eta_1(t_0)\,|\varphi_1\rangle\langle\varphi_1| + \frac{1}{2}\eta_0(t_0)\,|\varphi_2\rangle\langle\varphi_2| \tag{6}$$

$$B_0 = \frac{1}{2}\big(\eta_0(t_0) + \eta_1(t_0)\big)\big[|\varphi_0\rangle\langle\varphi_0| + |\varphi_2\rangle\langle\varphi_2|\big] + \eta_1(t_0)\big[|\varphi_1\rangle\langle\varphi_1| + |\varphi_3\rangle\langle\varphi_3|\big], \tag{7}$$

where $\eta_0(t_0)$ ($\eta_1(t_0)$) is the efficiency of the detector for bit "0" ("1") at time
$t_0$. This combinational attack results in the third curve from the top in Fig. 4 with the
assumption that the efficiency mismatch between the two detectors (i.e.,
$\eta_1(t_0)/\eta_0(t_0)$) is 0.08. Furthermore, by minimizing the QBER over the measurements
and also the states resent by Eve, we obtain the bottom curve in Fig. 4 with the same
efficiency mismatch. As shown in the figure, there is considerable improvement in the QBER
upper bound by combining with the fake signals attack. Note that the fake signals attack alone
corresponds to the endpoints of the bottom two curves at $\delta = \pi/2$ (the QBER values are
12.3% and 9.82%). Moving along the bottom curve, we see that by combining with our
phase-remapping attack, the QBER upper bound decreases significantly from 9.82% to 5.79%.

FIG. 6: Efficiencies of two detectors. When Eve time shifts the signals to arrive at Bob at
time $t_0$ ($t_1$), the efficiency of detector SPD0 (SPD1) is higher than that of detector SPD1
(SPD0).

FIG. 7: QBER upper bound of Trojan horse attacks for SARG04. The top two curves correspond to
the phase-remapping attack only whereas the bottom two curves correspond to the combination of
the phase-remapping attack and the fake signals attack of Ref. [15]. The QBER values of the two
solid curves are obtained by minimizing over the POVM measurement by Eve for each phase
difference $\delta$ and assuming a fixed state sent to Bob. The QBER values of the two dashed
curves are obtained by minimizing over the POVM measurement by Eve and the state sent to Bob
for each phase difference $\delta$. Note that the QBER values approach some minimum values
(23.7%, 22.7%, 11.6%, and 11.3%) as the phase difference between the states approaches zero.

Our phase-remapping attack and also the fake signals attack work against not only the BB84
protocol, but also the Scarani-Acin-Ribordy-Gisin 2004 (SARG04) protocol [26]. We have plotted
an analogous figure for the SARG04 protocol in Fig. 7. The methods for obtaining these curves
are similar to that for the BB84 protocol. In this figure, we have also used the efficiency
mismatch of 0.08 for the fake signals attack. We remark that the tolerable QBER for the SARG04
protocol is 19.9% [H[ when Alice and Bob are not aware of any Trojan horse attacks. Similar to
the conclusion for the BB84 protocol, since, as shown in Fig. 7, the QBER values induced by our
phase-remapping attack together with the fake signals attack for a large range of phase
difference $\delta$ are below the tolerable QBER, the security of the SARG04 protocol can be
compromised.



V. PHASE-REMAPPING ATTACK WITH A 
WEAK COHERENT-STATE SOURCE 

In this section, we consider the phase-remapping attack when a weak coherent-state source is
used, which is in contrast to Sec. IV where a single-photon source is assumed. Here, we aim to
show that there exist some situations where a normal post-processing would lead Alice and Bob
to wrongly believe that the secret key generation rate is positive but in fact it is zero. In
order to ensure that no secret can be extracted, we again make Eve perform the time-shifting
operation to achieve phase remapping followed by an intercept-and-resend attack as in Sec. IV.
This time, however, Eve may perform additional operations before her intercept-and-resend
attack. Since there can be more than one photon in a signal pulse traveling from Alice to Bob,
Eve may perform a quantum non-demolition (QND) measurement to determine the number of photons
in the signal and then an intercept-and-resend attack that may depend on the photon number.
However, in the three strategies that we will discuss below, Eve does not need to perform such
a QND measurement. Indeed, our three strategies are feasible with current technology. In any
case, any entanglement carried by any signal from Alice to Bob is destroyed by Eve's attack,
regardless of the number of photons in the signal, since an intercept-and-resend attack
corresponds to an entanglement-breaking channel. Therefore, the secret key generation rate must
be zero.
On Alice and Bob's side, we adopt a specific post-processing step after the sifted key is
obtained. Specifically, Alice and Bob establish security using the result of
Gottesman-Lo-Lütkenhaus-Preskill (GLLP) (which assumes the worst-case estimations for the
proportion of the single-photon signals and their QBER) and they optionally perform two-way
classical post processing (using B steps [19]). However, the two-way post-processing step in
Ref. [19] cannot be applied directly, since a single-photon source is assumed there, whereas we
are considering a weak coherent-state source here. Instead, we apply the two-way
post-processing technique for weak coherent-state sources proposed by us in Ref. [13] (although
decoy states are used there, we will directly apply the technique without decoy states here).
Afterwards, they perform standard error correction and privacy amplification to distill the
final key. We summarize a QKD model for realistic setups, a key generation rate formula for a
weak coherent-state source, and a two-way post-processing procedure using B steps for a weak
coherent-state source in Appendix B. This background material will be used later in this
section.

Let us construct three specific examples in which Eve can successfully trick Alice and Bob into believing that a secret key can be generated. We adopt a model in which all imperfections are attributed to Eve (as in Ref. @, M \m) or, viewed from a different perspective, Eve can control the quantum channel and the detectors. In both examples, she treats all signals with two and more photons as single-photon signals and performs an intercept-and-resend attack on all non-vacuum signals. In the intercept-and-resend attack, we assume for simplicity that Eve's measurement only identifies the states $|\varphi_0\rangle$ and $|\varphi_3\rangle$ and resends some arbitrary states to Bob [33]. The intercept-and-resend attack is optimized for the phase difference $\delta$ that Eve has chosen to remap Alice's four states. Note that it is not difficult to construct intercept-and-resend attacks specific to signals of certain numbers of photons in a similar way as that for the single-photon signals. The first example demonstrates the phase-remapping attack alone with a weak coherent-state source. The second and third examples illustrate mixed attack strategies that combine the phase-remapping attack and the fake signals attack; and these two examples differ in whether or not Eve fine tunes her attack strategy to match the overall gain and the overall QBER (see Appendix B for their definitions) with the normal operating values.

A. Strategy one 

In this strategy, Eve performs phase remapping followed by intercepting Alice's signal and resending only the states $|0_z\rangle$ and $|1_x\rangle$ (with equal probabilities) to Bob [34]. This strategy produces the following overall gain and overall QBER, respectively,

$$Q_{\text{signal}} = p_{\text{dark}} e^{-\mu} + \left(C_1 + (1 - C_1)\, p_{\text{dark}}\right)\left(1 - e^{-\mu}\right) \tag{8}$$

$$E_{\text{signal}} = \left[ p_{\text{dark}} e^{-\mu}/2 + \left(C_1 e_1 + (1 - C_1)\, p_{\text{dark}}/2\right)\left(1 - e^{-\mu}\right) \right] / Q_{\text{signal}}, \tag{9}$$

where $p_{\text{dark}}$ is the dark count probability, and $e_1$ and $C_1$ are, respectively, the QBER and the conclusive probability of the intercept-and-resend attack for the single-photon case. If there is no detection error (i.e. $e_{\text{detector}} = 0$, and it is the case in this example), $e_1$ can be computed from Eqs. ©-(5) or extracted from the top curve of Fig. 4 for a particular phase difference $\delta$ (since the top curve of Fig. 4 is achieved by Eve resending only the states $|0_z\rangle$ and/or $|1_x\rangle$ to Bob). On the other hand, if $e_{\text{detector}}$ is not zero, we need to incorporate it in the calculation of $e_1$, which can be easily done.

Note that both states $|0_z\rangle$ and $|1_x\rangle$ sent by Eve to Bob cause the same QBER's and the same gains on Bob's side (since their phase-remapped states $|\varphi_0\rangle$ and $|\varphi_3\rangle$ in Eq. @ are symmetrical (see Fig. [5])). The conclusive probability $C_1$, which is also the probability that Eve resends the states $|0_z\rangle$ and $|1_x\rangle$, is equal to $C_1 = \mathrm{Tr}((M_0 + M_3)B)/4$, where $M_0$ and $M_3$, with $M_0 + M_3 \le I$, are the POVM elements for resending the two states obtained by minimizing the QBER $e_1$, and $B$ as given in Eq. (5) is the density matrix sent by Alice to Eve. Also, we assume that Eve always sends a strong pulse to Bob, which is reflected in the exclusion of Bob's detector efficiency $\eta_{\text{Bob}}$ in Eqs. (8)-(9), $C_1$, and $e_1$.

Since Alice and Bob use only the result of GLLP to ensure security, the mean photon number $\mu$ they use may be very small. (In contrast, when the decoy-state method [H, H EH EH El, El E3 is used to ensure security, the mean photon number may be high, e.g. on the order of 1.) Suppose that the mean photon number is $\mu = 8 \times 10^{-4}$ and three B steps are used by Alice and Bob. We use the QKD model parameters shown in Table I to compute the overall gain and the overall QBER from Eqs. (8)-(9). We can then compute the key generation rates using Eq. (B14) for various distances, as shown in Fig. 8. The important point is that there is a range of phase differences ($0.12 < \delta < 0.75$) where the key generation rates are positive, but in fact no key can be generated since Eve's intercept-and-resend attack corresponds to an entanglement-breaking channel [18]. This means that the final keys generated in this range are insecure. The key generation rates outside this range are zero with this particular strategy. In contrast to this strategy, the two strategies that we describe next combine the phase-remapping attack with the fake signals attack [15].

| $\alpha$ [dB/km] | $\eta_{\text{Bob}}$ | $e_{\text{detector}}$ | $p_{\text{dark}}$ | $f$ |
|---|---|---|---|---|
| 0.21 | 8.0% | 0% | $10^{-7}$ | 1.16 |

TABLE I: Simulation parameters. Here, $\alpha$ is the channel loss coefficient, $\eta_{\text{Bob}}$ is the detector efficiency, $e_{\text{detector}}$ is the detection error probability, $p_{\text{dark}}$ is the dark count rate, and $f$ is the error correction inefficiency. See Appendix B for detail.

FIG. 8: Key generation rates at various distances. We use the QKD model parameters shown in Table I to compute the overall gain and the overall QBER from Eqs. (8)-(9). The key generation rates are then computed using Eq. (B14) with three B steps for various distances. Here, the key rates should be zero (since Eve launches an intercept-and-resend attack) but are positive in the range $0.12 < \delta < 0.75$, meaning that the keys generated in this range are insecure.

| $\eta_0(t_0)/\eta_1(t_0)$ | $\delta$ | Key rate |
|---|---|---|
| 0.0667 | 1.02 | $8.921 \times 10^{-7}$ ($2.610 \times 10^{-7}$) |
| 0.04 | 1.31 | $1.622 \times 10^{-6}$ ($1.457 \times 10^{-6}$) |
| 0.03 | 1.41 | $2.038 \times 10^{-6}$ ($1.968 \times 10^{-6}$) |

TABLE II: Key generation rates for strategy two, in which Eve combines the phase-remapping attack with a fake signals attack. The first column is the efficiency mismatch of the two detectors (related to the fake signals attack); the second column is the phase difference between the states sent by Alice chosen to maximize the key generation rate (related to the phase-remapping attack); the third column is the key generation rate for the phase difference in the second column. The rates in brackets correspond to the case of only the fake signals attack without the phase-remapping attack. Note that there is some improvement in the key rates by combining both attacks. We used a mean photon number of $\mu = 8 \times 10^{-4}$.



B. Strategy two 

This strategy combines the phase-remapping attack with the fake signals attack [15]. Specifically, in this strategy, Eve performs phase remapping followed by intercepting Alice's signals and resending a time-shifted single-photon signal of arbitrary state to Bob. Note that one crucial difference between this strategy and strategy one is that here Eve takes advantage of the efficiency mismatch of the detectors by time shifting her signals sent to Bob. To simplify the analysis, we assume that Eve always sends single-photon signals to Bob (in which case the ratio of the efficiencies is the largest (cf. Eq. (B3)) and double clicks due to multiple photons of arbitrary states are avoided). We compute the overall gain and the overall QBER by using Eq. (8) and Eq. (9), respectively. Here, we also assume that Eve only resends when she detects $|\varphi_0\rangle$ and $|\varphi_3\rangle$ (as in strategy one); and thus the resending probability is $C_1 = \mathrm{Tr}(M_0 B_0 + M_3 B_3)/4$, where $B_i$ is from Eq. (7). We allow Eve to resend arbitrary states to Bob; thus $e_1$ can be extracted from the bottom curve of Fig. 3] for a particular phase difference $\delta$ (if the efficiency mismatch is 0.08) or computed from Eqs. Q, (O, (7), and the corresponding equations for $L_3$ and $B_3$.

We assume Alice and Bob use only the result of GLLP to ensure security and no B step is used. We use the QKD model parameters shown in Table I and $\mu = 8 \times 10^{-4}$ to compute the overall gain and the overall QBER for this strategy. We then compute the key generation rates using Eq. (B14) for a few cases, and the result is tabulated in Table II. Here, we assume that when Eve detects $|\varphi_0\rangle$ ($|\varphi_3\rangle$), she time shifts the signal to arrive at Bob at time $t_0$ ($t_1$) as in Fig. [5] and we assume symmetry between the two detectors such that $\eta_0(t_0) = \eta_1(t_1) = \eta_{\text{Bob}}$ and $\eta_1(t_0) = \eta_0(t_1)$, where $\eta_i(t)$ is the efficiency of detector $i$ at time $t$. As shown in the table, the key generation rates are positive but should be zero since this strategy is an intercept-and-resend attack strategy [18]. Therefore, the final key Alice and Bob distill is compromised by Eve. Note that the key generation rates of this strategy are higher than those of strategy one. One drawback of this strategy is that the overall gain and the overall QBER induced by Eve may be quite different from what Alice and Bob may expect in a normal situation. To overcome this, we discuss a third strategy below that matches the induced gain and QBER with the normal operating values. Nevertheless, with this example, we have demonstrated that our phase-remapping attack in combination with the fake signals attack can compromise the security of the QKD system if Alice and Bob are unaware of the attack strategy.

C. Strategy three 

In this strategy, Eve also performs a combination of the phase-remapping attack and the fake signals attack [15] as in strategy two, but here she adjusts the parameters of her attack to match the overall gain and the overall QBER with what Alice and Bob would expect in normal cases. Alice and Bob may have some idea of the parameters of their system and may have certain expectations of the overall gain and QBER. Thus, Eve needs to adjust her attack in order to simulate a normal situation. She does this by altering the dark count probability of Bob's detectors (as stated before, we assume that the detectors are under Eve's control) and changing the resending probability in the intercept-and-resend attack. Other than these two adjustments, strategy three is otherwise the same as strategy two. In this strategy, the overall gain and overall QBER are, respectively,

$$Q_{\text{signal}} = Y_0 e^{-\mu} + \left(\gamma C_1 + (1 - \gamma C_1)\, Y_0\right)\left(1 - e^{-\mu}\right) \tag{10}$$

$$E_{\text{signal}} = \left[ Y_0 e^{-\mu}/2 + \left(\gamma C_1 e_1 + (1 - \gamma C_1)\, Y_0/2\right)\left(1 - e^{-\mu}\right) \right] / Q_{\text{signal}}, \tag{11}$$

where $Y_0$ is the dark count probability Eve chooses (which can be different from the normal dark count probability $p_{\text{dark}}$) and $0 \le \gamma \le 1$ is the resending probability for conclusive results. The other variables are the same as in strategy two.

We assume that the normal situation is produced by the QKD model parameters shown in Table I and $\mu = 8 \times 10^{-4}$. From these parameters, the normal operating values of the overall QBER and the overall gain can be computed from Eqs. (B12)-(B13). Eve then chooses the phase difference $\delta$, the dark count probability $Y_0$, and the resending probability $\gamma$ for a fixed efficiency mismatch to match the overall QBER induced by her (Eq. ([8])) and the overall gain induced by her (Eq. ^j) within 10% of the normal operating values. We assume that Eve does not interfere with the detection error probability; thus, we still have $e_{\text{detector}} = 0$ as in the normal situation and the QBER of the single-photon signals, $e_1$, is computed as in strategy two. We show in Table III two instances in which Eve's combination of the phase-remapping attack and the fake signals attack achieves positive key generation rates. In both instances, Alice and Bob simply use the post-processing steps from GLLP and no B step to distill secret keys as described earlier, with the QKD model parameters shown in Table I and $\mu = 8 \times 10^{-4}$. In this example, both the normal situation and the hostile situation look similar to Alice and Bob. The normal situation arises when Eve is not present while the hostile situation arises when Eve launches this attack strategy. Since both situations give rise to the same overall QBER and overall gain, Alice and Bob are unaware of which situation they are in and thus distill keys at the same key generation rate in both situations. However, no secret key can be generated in the hostile case, since it corresponds to an entanglement-breaking channel [18]. Thus, if Alice and Bob are unaware of the Trojan horse attack, they may generate keys that are compromised by Eve.

| Distance [km] | $\eta_0(t_0)/\eta_1(t_0)$ | $\delta$ | $Y_0$ | $\gamma$ | Key rate |
|---|---|---|---|---|---|
| 88.0 | 0.04 | 1.31 | $1 \times 10^{-9}$ | 0.096 | $4.057 \times 10^{-8}$ |
| 87.0 | 0.03 | 1.41 | $1.8 \times 10^{-8}$ | 0.1 | $5.838 \times 10^{-8}$ |

TABLE III: Two situations in which Eve's attack produces the same overall gain and overall QBER as that produced in a normal situation described by the parameters in Table I. Here, Eve fine tunes her attack by adjusting the phase difference $\delta$, the dark count probability $Y_0$, and the resending probability $\gamma$ for some distance and some efficiency mismatch between the two detectors. We assume that Alice and Bob perform the post-processing steps from GLLP and no B step as described in Appendix B. The fact that the key generation rates, computed using Eq. (B14), are positive means that Eve has successfully compromised the final keys. We used a mean photon number of $\mu = 8 \times 10^{-4}$.

Note that the values of the dark count probability $Y_0$ in Table III are lower than the normal value given in Table I. While lowering the dark count probability may be difficult to achieve in practice, Eve may realize this strategy by increasing the dark count probability in the normal situation instead. In addition, we point out that dark count probability on the order of $10^{-9}$ has been attained experimentally [35]; thus, the values of the dark count probability $Y_0$ shown in Table III are realistic. We also note that the discontinuity in Fig. 2] at $\delta = 0$ does not manifest as a problem in this attack for the weak coherent-state source. This is because the phase difference $\delta$ is chosen to match the overall QBER and gain with some normal operating values. In normal scenarios, $\delta$ is set to some non-zero value.

We remark that although the key generation rates in 
the three examples may not be very significant, they do 
raise the awareness that the Trojan horse attack we pro- 
pose can be detrimental to Alice and Bob. 



VI. CONCLUSIONS 

We have proposed a realistic Trojan horse attack, the 
phase-remapping attack, for two-way quantum key dis- 
tribution systems implementing the BB84 protocol. We 
have shown that, when Alice and Bob are unaware of our 
attack, there are situations in both the perfect-single- 
photon-source case and the weak-coherent-state-source 
case that the final key shared between them is com- 
promised and Eve has some information on it. Specifi- 
cally, for the perfect-single-photon-source case, when the 
QBER is larger than 14.6%, Alice and Bob may distill 
a compromised key. For the weak-coherent-state-source 
case, we have given three examples (two of which are 
combined with a fake signals attack) in which the final 
keys are insecure. Note that our attack is feasible with 
only current technology and thus is highly practical for 
Eve to implement. Therefore, it is important for Alice 
and Bob to be aware of the possibility of our attack and 
to guard against it by only generating a key when the 
QBER is low enough. 

We remark that the fact that we demonstrated the in- 
security of a key guaranteed to be secure by some existing 
security proofs does not imply that the proofs are incor- 
rect. It is because the Trojan horse attack we demon- 
strated corresponds to performing operations and using 
information lying outside the Hilbert space assumed in 
the proofs. These extra operations and information are 
granted to us by the practical implementations of the 
BB84 protocol. Thus, while a QKD protocol may be un- 
conditionally secure, a realistic implementation of it may 
open up security loopholes via extra dimensions. 



APPENDIX A: MINIMIZATION OF QBER 



The normalized bit error rate is (cf. Eq. Q)

$$\text{QBER} = \frac{\sum_{i=0}^{3}\sum_{j=0}^{1} \langle j_z | W_i L_i W_i^\dagger | j_z \rangle}{\sum_{i=0}^{3}\sum_{j=0}^{1} \langle j_z | W_i B_i W_i^\dagger | j_z \rangle}, \tag{A1}$$

where $L_i$ and $B_i$ are given in Eq. (4) and Eq. (5), respectively, and $W_i^\dagger W_i = M_i$ are the POVM elements. We want to minimize QBER over the eight independent row vectors $\langle j_z | W_i$, each with two elements. At least one of the eight must be non-zero, because otherwise all $W_i$ would be zero and there would be no qubits sent to Bob. Since QBER is not a sum of eight independent ratios,

$$\text{QBER} \ne \sum_{i=0}^{3}\sum_{j=0}^{1} \frac{\langle j_z | W_i L_i W_i^\dagger | j_z \rangle}{\langle j_z | W_i B_i W_i^\dagger | j_z \rangle}, \tag{A2}$$

it may appear at first sight that the minimization of QBER is not trivial. However, it turns out that we can minimize each ratio independently and set QBER to be the smallest ratio by assigning zeros to the other seven vectors. We show this by the following claim:

Claim 1 Given two ratios, $\frac{a_1}{a_2}$ and $\frac{b_1}{b_2}$, if $\frac{a_1}{a_2} \le \frac{b_1}{b_2}$, then

$$\frac{a_1}{a_2} \le \frac{a_1 + b_1}{a_2 + b_2}.$$

Therefore, we consider separately minimizing each ratio, which can be written as

$$\frac{\langle c_{ji} | B_i^{-1/2} L_i B_i^{-1/2} | c_{ji} \rangle}{\langle c_{ji} | c_{ji} \rangle}, \tag{A3}$$

where $\langle c_{ji} | = \langle j_z | W_i B_i^{1/2}$ is a row vector with two elements. The eigenvector of $B_i^{-1/2} L_i B_i^{-1/2}$ corresponding to the minimum eigenvalue minimizes Eq. (A3). The minimum eigenvalue among all $i$'s is the minimum QBER, which is the top curve plotted in Fig. 4. It is not difficult to ensure that the POVM elements satisfy $\sum_{i=0}^{3} W_i^\dagger W_i \le I$. Note that we can always scale the POVM elements (by the same factor) without affecting the QBER. Thus, it is always possible to find a scaling such that these POVM elements and an additional one corresponding to sending a vacuum state to Bob add up to identity.



APPENDIX B: REVIEW OF QKD MODEL AND 
KEY GENERATION RATE FOR REALISTIC 
SETUPS 

We first review a widely-used model for realistic QKD setup (see, e.g., [28], [36]). This model is suitable for fiber-based QKD systems. We then summarize the key generation rate from GLLP [9] and the B step [H, H3> H3 , for the weak-coherent-state-source case.

Source: The source is a single-mode laser source. We assume that the phase of each pulse is randomized. Thus, the laser source emits pulses that are classical mixtures of the photon number states with a Poisson distribution:



oc 

\ - M _ 



(Bl) 



where $\mu$ is the mean photon number.

Transmission: The quantum channel is the optical fiber and we quantify the loss in the optical fiber by the probability that an input photon is lost at the end of the transmission. Let $\alpha$ in dB/km be the loss coefficient of the optical fiber and $l$ be the fiber length in km. Then, the probability that the input photon is not lost is equal to $10^{-\alpha l/10}$.

Detection: We assume Bob is equipped with threshold detectors. Since they are not completely efficient, there is some chance that they do not produce a click even when there are some photons present at the inputs. The probability that Bob's detector detects the presence of an input photon is defined as Bob's detection efficiency $\eta_{\text{Bob}}$. Combining the loss in the quantum channel and the inefficiency of Bob's detector, we arrive at the overall transmission efficiency, $\eta$. It is the probability that a photon is detected given that one has been sent, and is given by

$$\eta = 10^{-\alpha l/10}\, \eta_{\text{Bob}}. \tag{B2}$$

When the input signal contains more than one photon, the signal is detected if at least one photon is detected. Thus, the transmission efficiency for an $n$-photon signal is

$$\eta_n = 1 - (1 - \eta)^n. \tag{B3}$$


When there is no input to Bob's detector, there is a possibility that it generates a detection event. This is due to the intrinsic detector's dark counts, the background spray, and the leakage from timing signals. We denote the probability of this false detection event as $p_{\text{detector}}$. Suppose that there are two detectors in the system. We denote the probability of false detection for the system as $p_{\text{dark}} = 2 p_{\text{detector}}(1 - p_{\text{detector}})$.

When there is a double-click event, which occurs because of dark counts or detection of a multi-photon signal, we impose that Bob takes one of the bit values randomly [alSl- This is consistent with the so-called "squash operation" used in the security proof of GLLP [9].

More concretely, the security proof of GLLP assumes 
that the squash operation is performed by Eve. This op- 
eration is a mapping from a multi-photon state to a qubit 
state. Thus, under this assumption, Eve always sends 
a qubit state to Bob. In this paper, we directly apply 
the result of GLLP to our calculations of key generation 
rates and therefore we assume the squash operation with- 
out proof. We consider two-way classical post-processing 
in this paper and our squash-operation assumption simplifies
our analysis. We remark that Koashi [38] has
proved the security of one-way classical post-processing 
type QKD for a threshold detector model without requir- 
ing the squash-operation assumption. 

Yield, QBER, gain: Let us define the yield $Y_n$, the quantum bit error rate (QBER) $e_n$, and the gain $Q_n$. The yield, $Y_n$, is defined as the probability that Bob detects a signal conditional on Alice's $n$-photon emission:

$$Y_n = \Pr\{\text{Detection by Bob} \mid \text{Alice sent } n\text{-photon state}\}. \tag{B4}$$

The yield is basically a sum of the probabilities of the error events and the no-error events. The fraction of the error events in the total probability is the quantum bit error rate $e_n$:

$$e_n = \Pr\{\text{Bob's result is incorrect} \mid \text{detection by Bob} \wedge \text{Alice sent } n\text{-photon state}\}. \tag{B5}$$

The gain of the $n$-photon state is

$$Q_n = \Pr\{\text{Detection by Bob} \wedge \text{Alice sent } n\text{-photon state}\} \tag{B6}$$

$$\phantom{Q_n} = Y_n e^{-\mu} \mu^n / n!. \tag{B7}$$

The overall gain and the overall QBER are the weighted averages of all the $n$-photon gains and QBER's:

$$Q_{\text{signal}} = \sum_{n=0}^{\infty} Y_n e^{-\mu} \mu^n / n! \tag{B8}$$

$$E_{\text{signal}} = \frac{1}{Q_{\text{signal}}} \sum_{n=0}^{\infty} Y_n e_n e^{-\mu} \mu^n / n!. \tag{B9}$$



These two are parameters that Alice and Bob measure 
during a QKD experiment and can be used to determine 
the key generation rate Q . 

Normal situation: When Eve is not present, we assume that signals are emitted by the weak coherent-state source at Alice's side, travel through the optical fiber suffering some loss, and reach Bob on his detectors. Under this situation, the normal values for the yields and the QBER for BB84 can be obtained as

$$Y_n = p_{\text{dark}}(1 - \eta_n) + \eta_n \tag{B10}$$

$$e_n = \left[ p_{\text{dark}}(1 - \eta_n)/2 + e_{\text{detector}}\, \eta_n \right] / Y_n, \tag{B11}$$

where $e_{\text{detector}}$ is a parameter representing the misalignment of the detector setup. For the overall gain and the overall QBER, their normal values are

$$Q_{\text{signal}} = p_{\text{dark}} e^{-\eta\mu} + 1 - e^{-\eta\mu} \tag{B12}$$

$$E_{\text{signal}} = \frac{1}{Q_{\text{signal}}} \left[ \frac{p_{\text{dark}} e^{-\eta\mu}}{2} + \left(1 - e^{-\eta\mu}\right) e_{\text{detector}} \right]. \tag{B13}$$

Key generation rate: Once Alice and Bob have measured the overall gain and the overall QBER, the key generation rate may be obtained by using a result in GLLP [9] as follows:

$$R = r_B\, \frac{1}{2}\, Q_{\text{signal}} \left[ -f(E_{\text{signal}})\, H_2(E_{\text{signal}}) + \Omega \left(1 - H_2(e_p)\right) \right], \tag{B14}$$

where $f(\cdot)$ is the error correction efficiency as a function of the QBER, $H_2(p) = -p \log_2(p) - (1 - p) \log_2(1 - p)$ is the binary entropy function, $\Omega = Q_1/Q_{\text{signal}}$ is the fraction of single-photon states, $e_p$ is the phase error rate of the single-photon states, and $r_B$ is the fraction of bits retained after B steps ($r_B = 1$ if no B step is performed). The factor of 1/2 is the fraction of bits retained after basis reconciliation for BB84. The first term in the bracket is related to error correction, while the second term is related to privacy amplification. In this equation, $Q_1$ and $e_p$ are not directly measured, but they may be bounded by assuming the worst-case situation @ . We may pessimistically assume that the overall gain $Q_{\text{signal}}$ is contributed by multi-photon signals as much as possible, and all the errors come from single-photon detection events, leading to $Q_1 = Q_{\text{signal}} - p_{\text{multi}}$ and $e_1 = E_{\text{signal}} Q_{\text{signal}} / Q_1$, where $p_{\text{multi}}$ is the probability of Alice emitting multi-photon signals. Before the post-processing using B steps (which we describe next), the phase error rate is equal to the bit error rate for the single-photon states, i.e. $e_p = e_1$.

B step: Optionally, Alice and Bob may perform one or more B steps by using two-way classical communications to increase the achievable secure distance. The B step was analyzed in Ref. [19] for the single-photon source and in Ref. [U H3] for the weak coherent-state source. Each B step involves the following operations: Alice and Bob first randomly pair up their bits, say $x_1$, $x_2$ on Alice's side and the corresponding $y_1$, $y_2$ on Bob's side. They compute the parities of the pairs, $x_1 \oplus x_2$ and $y_1 \oplus y_2$, and publicly compare them. If both parities are the same, they keep $x_1$ and $y_1$ and discard $x_2$ and $y_2$; otherwise, they discard $x_1$, $x_2$, $y_1$, and $y_2$. After each B step, the bit and phase error rates and the fraction of the single-photon states change. We summarize the update formulas for the changes after running one B step as follows [13]:

$$\Omega' = \frac{\Omega^2 \left(e_1^2 + (1 - e_1)^2\right)}{E_{\text{signal}}^2 + (1 - E_{\text{signal}})^2} \tag{B15}$$

$$E_{\text{signal}}' = \frac{E_{\text{signal}}^2}{E_{\text{signal}}^2 + (1 - E_{\text{signal}})^2} \tag{B16}$$

$$e_p' = \frac{2 e_p (1 - e_1 - e_p)}{e_1^2 + (1 - e_1)^2} \tag{B17}$$

$$e_1' = \frac{e_1^2}{e_1^2 + (1 - e_1)^2} \tag{B18}$$

$$r_B' = r_B \left(E_{\text{signal}}^2 + (1 - E_{\text{signal}})^2\right)/2, \tag{B19}$$

where the primed (unprimed) variables are the new (old) values. After running some number of B steps, we may obtain the key generation rate by using Eq. (B14).
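The model of this appendix as an added Python example (not code from the paper): it evaluates Eqs. (B2), (B12)-(B13), the worst-case bounds below Eq. (B14), the B-step updates (B15)-(B19) and the rate (B14), using the Table I parameters and the mean photon number quoted in the text. Assumptions: the function names are illustrative, $f$ is treated as the constant 1.16, and a guard returns zero once the worst-case single-photon error rate reaches 1/2.

```python
import math

# Table I parameters and the mean photon number quoted on the page.
ALPHA_DB_PER_KM = 0.21   # channel loss coefficient
ETA_BOB = 0.08           # Bob's detector efficiency
E_DETECTOR = 0.0         # detection error probability
P_DARK = 1e-7            # dark count probability
F_EC = 1.16              # error correction inefficiency (assumed constant in the QBER)
MU = 8e-4                # mean photon number


def h2(p):
    """Binary entropy H_2(p), with H_2(0) = H_2(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def normal_gain_qber(length_km, mu=MU):
    """Overall gain and QBER when Eve is absent, Eqs. (B2), (B12), (B13)."""
    eta = 10 ** (-ALPHA_DB_PER_KM * length_km / 10) * ETA_BOB    # (B2)
    click = -math.expm1(-eta * mu)       # 1 - exp(-eta*mu), accurate for tiny eta*mu
    vac = 1.0 - click                    # exp(-eta*mu)
    q_sig = P_DARK * vac + click                                 # (B12)
    e_sig = (P_DARK * vac / 2 + click * E_DETECTOR) / q_sig      # (B13)
    return q_sig, e_sig


def b_step(omega, e_sig, e_p, e_1, r_b):
    """One B step: returns the primed values of Eqs. (B15)-(B19)."""
    d_sig = e_sig ** 2 + (1 - e_sig) ** 2
    d_1 = e_1 ** 2 + (1 - e_1) ** 2
    return (omega ** 2 * d_1 / d_sig,            # (B15) single-photon fraction
            e_sig ** 2 / d_sig,                  # (B16) overall QBER
            2 * e_p * (1 - e_1 - e_p) / d_1,     # (B17) phase error rate
            e_1 ** 2 / d_1,                      # (B18) single-photon bit error rate
            r_b * d_sig / 2)                     # (B19) fraction of bits retained


def gllp_key_rate(q_sig, e_sig, mu=MU, b_steps=0, f_ec=F_EC):
    """Key rate of Eq. (B14) from the two measured quantities only."""
    p_multi = 1 - math.exp(-mu) * (1 + mu)   # Poisson probability of n >= 2
    q_1 = q_sig - p_multi                    # worst case: multi-photon pulses all click
    if q_1 <= 0:
        return 0.0
    e_1 = e_sig * q_sig / q_1                # worst case: every error is single-photon
    if e_1 >= 0.5:                           # added guard, not a formula from the page
        return 0.0
    omega, e_p, r_b = q_1 / q_sig, e_1, 1.0
    for _ in range(b_steps):
        omega, e_sig, e_p, e_1, r_b = b_step(omega, e_sig, e_p, e_1, r_b)
    rate = r_b * 0.5 * q_sig * (-f_ec * h2(e_sig) + omega * (1 - h2(e_p)))
    return max(rate, 0.0)


if __name__ == "__main__":
    for km in (0, 20, 40, 60, 80, 100):
        q, e = normal_gain_qber(km)
        print(f"{km:4d} km  Q={q:.3e}  E={e:.3e}  "
              f"R(no B step)={gllp_key_rate(q, e):.3e}  "
              f"R(3 B steps)={gllp_key_rate(q, e, b_steps=3):.3e}")
```

Because `gllp_key_rate` takes only the measured pair (overall gain, overall QBER), any channel that reproduces that pair is assigned the same rate, which is why the matched statistics of Strategy three go unnoticed by this post-processing.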